Re: [Openvpn-users] IP address hijacking in OpenVPN 2.0


  • Subject: Re: [Openvpn-users] IP address hijacking in OpenVPN 2.0
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Wed, 10 Nov 2004 18:05:15 -0700 (MST)

On Wed, 10 Nov 2004, sergio simone wrote:

> Hi guys,
> I've successfully deployed OpenVPN 2 in the company I work for. We're 
> very happy with it and we're thinking about opening the vpn to 
> non-technical users too. We're concerned about security though and the 
> address hijacking issue you talked about some months ago is one of the 
> hurdles we're facing considering that we're doing ipfiltering just like 
> Mathias described in his message.
> We were even thinking about filtering the couple ip address / mac 
> address but mac addresses can be spoofed too so that's not a perfect 
> solution.
> 
> Was there any follow up to the brief discussion I'm pasting below? I've 
> searched but I have not found any.
> 
> Thank you very much for this and for the excellent work you're doing on 
> this great piece of software.

The source address of packets coming through the tunnel is now checked 
when run in TUN mode.  Basically the test is that we don't accept a packet 
from any tunnel if we do not have a route which would allow a return path 
for the packets.

The conversation below is several months old, and the verification that is
described has been implemented in the 2.0 beta series for some time.  
When run in TAP mode, the check is not automatic, but you can use a
"learn-address" script to intercept the appearance of new MAC addresses on
the tunnel and dynamically set appropriate firewall policy for those
addresses.

James

> 
> On 06/mag/04, at 09:15, James Yonan wrote:
> 
> > Mathias,
> >
> > That's a good point -- right now the server doesn't do any source
> > address checking on client -> server packets.  And I agree with you
> > that the source address should be checked.
> >
> > I think the way to do this is that a source address will only be
> > accepted from a particular client if OpenVPN's internal routing table
> > has an association between that address and the client, either through
> > the client's server-assigned ifconfig address or --iroute routes on the
> > server.
> >
> > James
> >
> > Mathias Sundman <mathias@xxxxxxxxxx> said:
> >
> >> I'm currently using OpenVPN 1.6 to connect several windows users to a
> >> local network using linux and bridging on the server.
> >>
> >> With this I can have different iptables rules for every user as they
> >> come in on a different tap device.
> >>
> >> Now I'm thinking of switching to 2.0, and push an individual config
> >> file to each user, to be able to do ip filtering with iptables based on
> >> the source IP address.
> >>
> >> What I wonder now is, is there anything in openvpn that prevents a
> >> user from changing his openvpn config to use a fixed (--ifconfig xxx)
> >> IP address instead of pulling the config from the server?
> >>
> >> Or what if the user changes his IP address on the tap device to a
> >> static IP address, that normally belongs to a user with access to more
> >> resources on the local network?
> >>
> >> Will OpenVPN drop packets from this user then, if they do not contain
> >> the source IP address that was pushed to the user?
> >>
> >> If not, how should I address this problem?
> >>
> >> /Mathias
> 

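James's reply points to a "learn-address" script as the TAP-mode counterpart of the automatic TUN-mode source check. The hook below is an added example of that shape, not code from the thread or from the OpenVPN project; it assumes iptables, a tap0 interface, a VPN_CLIENTS chain that FORWARD jumps to and that ends in DROP, and a constructed common-name-to-subnet policy.

```shell
#!/bin/sh
# Hypothetical --learn-address hook for an OpenVPN 2.0 TAP/bridged server (added example,
# not from the thread). OpenVPN invokes it as:  script <add|update|delete> <address> [common_name]
# Assumptions: iptables, the bridge/TAP interface name in TAP_IF, and a parent chain (PARENT)
# that FORWARD jumps to and that ends in DROP, so a client only reaches what its CN is granted.
TAP_IF="${TAP_IF:-tap0}"
PARENT="${PARENT:-VPN_CLIENTS}"

# Per-client policy (constructed sample): common name -> destination subnets it may reach.
allowed_nets() {
    case "$1" in
        alice) echo "10.0.1.0/24 10.0.2.0/24" ;;   # admin: two internal subnets
        bob)   echo "10.0.1.0/24" ;;              # regular user: one subnet
        *)     echo "" ;;                          # unknown CN: nothing, the parent DROP applies
    esac
}

# Per-address chain name, e.g. 10.8.0.6 -> VPN_10_8_0_6 (fits iptables' chain-name limit).
chain_for() { echo "VPN_$(echo "$1" | tr . _)"; }

# Print the iptables commands for one learn-address event, one per line, without running them.
# Keeping "decide" separate from "apply" lets the policy be tested without root or iptables.
rules_for() {
    op="$1"; addr="$2"; cn="$3"; chain=$(chain_for "$addr")
    case "$op" in
        add)    echo "iptables -N $chain"
                echo "iptables -A $PARENT -i $TAP_IF -s $addr -j $chain" ;;
        update) echo "iptables -F $chain" ;;      # address re-bound to another CN: start clean
        delete) echo "iptables -D $PARENT -i $TAP_IF -s $addr -j $chain"
                echo "iptables -F $chain"
                echo "iptables -X $chain"
                return 0 ;;
        *)      echo "unknown operation: $op" >&2; return 1 ;;
    esac
    # Traffic from this address may only go to the nets granted to the CN now bound to it.
    for net in $(allowed_nets "$cn"); do
        echo "iptables -A $chain -d $net -j ACCEPT"
    done
}

# Apply the generated rules; a failing iptables call fails the hook, and OpenVPN then
# rejects the address binding instead of leaving it half-configured.
apply_rules() { rules_for "$@" | while read -r cmd; do $cmd || exit 1; done; }

# When run by OpenVPN (3 args for add/update, 2 for delete) apply the rules; otherwise do nothing.
if [ "$#" -eq 2 ] || [ "$#" -eq 3 ]; then apply_rules "$@"; fi
```

Wire it in with `learn-address /path/to/this/script` in the server config; a client that switches its TAP address to one it was not assigned only ever gets the rules for the CN the server bound to that address.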
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users